
Policy Briefing — California CCPA Enforcement Commences

California’s Attorney General is enforcing the CCPA, prioritising proof that notices, opt-out signals, vendor contracts, and request workflows match real-world data practices; penalties now hinge on evidence quality and sustained operational discipline.


Executive briefing: On July 1, 2020 the California Department of Justice (DOJ) began enforcing the California Consumer Privacy Act (CCPA), converting statutory promises into regulator-reviewed obligations for any business that meets one of the law’s applicability thresholds (annual gross revenue, the volume of consumers’ personal information it handles, or the share of its revenue derived from selling personal information). The Attorney General’s office now expects organisations to prove how their notices, consent flows, and vendor controls map to actual data use, and it has signalled that investigative letters will escalate quickly when programmes cannot produce evidence. Early DOJ communications emphasised the July 1 start date and encouraged businesses to finalise compliance work, making clear that claims of pandemic disruption would not delay enforcement indefinitely.

Enforcement scope and authority

CCPA enforcement rests with the California Attorney General under California Civil Code §1798.155, which authorises civil penalties and injunctive relief. Enforcement was not contingent on the finalised regulations; the statute empowered the DOJ to investigate and litigate based on the law’s core duties, including notice at collection, sale opt-outs, and verifiable consumer requests. The DOJ has also noted that complaints, news coverage, and referrals from other agencies shape investigative priorities, so gaps that attract consumer attention—such as ineffective opt-out links or opaque sharing with ad-tech partners—carry heightened risk.

The enforcement timeline is intertwined with rulemaking. Final regulations under Title 11, Division 1, Chapter 20 of the California Code of Regulations became effective on August 14, 2020, clarifying definitions, notice placement, request workflows, and service provider limits. Although the California Privacy Rights Act (CPRA) would later create a dedicated regulator, the California Privacy Protection Agency, and expand sensitive data controls, the Attorney General retains civil enforcement authority alongside the agency, remains responsible for CCPA violations that occurred before CPRA’s operative date, and has continued to pursue cases involving opt-out failures and inaccurate disclosures.

Penalties, cures, and real-world precedents

The CCPA authorises civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation, and regulators may count each affected consumer or transaction as a separate violation, so exposure scales with the size of the affected population. While the statute originally offered a 30-day cure period after notice of alleged noncompliance, the cure must fully address the violation and prevent recurrence; superficial fixes risk further action. CPRA removed the guaranteed cure period for violations occurring on or after January 1, 2023, leaving any cure opportunity to the regulator’s discretion and reinforcing the need for sustained compliance rather than reactive patching.

Enforcement letters issued since 2020 have focused on sale opt-outs, privacy disclosures that do not match actual data sharing, and inadequate responses to verifiable consumer requests. The DOJ’s 2022 settlement with Sephora—finalised for $1.2 million and an injunction mandating Global Privacy Control (GPC) honouring—illustrates how failure to process opt-out signals and inaccurate privacy statements can yield financial penalties and mandated programme upgrades. That case also underscored that online trackers and analytics tags can constitute a “sale” of personal information when they enable cross-context behavioural advertising without appropriate contractual limits.

Consumer rights and notice requirements

Businesses must provide notice at or before the point of data collection describing categories of personal information, purposes, and whether data is sold or shared. Notices must be readable across devices, include a conspicuous opt-out link (originally “Do Not Sell My Personal Information”; CPRA broadened it to “Do Not Sell or Share My Personal Information”) or an equivalent toggle, and explain how to submit requests. If personal information is to be used for a purpose materially different from the one disclosed, the business must deliver a refreshed notice before the new use begins.

Verifiable consumer requests cover access, deletion, and correction (the last added by CPRA), while sale and sharing opt-outs apply to all consumers; affirmative opt-in consent is required before selling or sharing the personal information of consumers under 16, and parental or guardian consent is required for those under 13. Identity verification must balance fraud prevention with accessibility; the regulations caution against collecting unnecessary data to verify a request. Responses to requests to know must include the categories of sources, the business or commercial purposes, the categories of third parties receiving data, and the categories of personal information sold or disclosed for a business purpose in the preceding twelve months.

Data governance expectations

Investigations frequently probe how well privacy notices align with underlying data inventories. Regulators expect an enterprise-wide catalogue that lists systems processing personal information, data elements (e.g., identifiers, geolocation, internet activity), purposes, retention limits, and downstream transfers. Mapping SaaS integrations and SDKs is critical because consumer opt-out and deletion signals must propagate to advertising pixels, analytics tools, customer data platforms, and cloud storage repositories.

Security obligations intersect with privacy. California Civil Code §1798.150 creates a private right of action when nonencrypted and nonredacted personal information is exposed through a business’s failure to implement reasonable security, so enforcement readiness should include encryption-at-rest and in-transit controls, fine-grained access management, logging that supports forensic review, and incident response playbooks that integrate the breach notification requirements of §1798.82.

Vendor and service provider management

Service provider contracts must prohibit selling data, restrict processing to the specified business purposes, mandate confidentiality, and flow the same restrictions down to any subcontractors. The DOJ has scrutinised whether businesses classify their partners accurately: analytics or advertising partners without compliant contractual limits are treated as “third parties,” meaning their trackers can trigger sale/sharing obligations and consumer opt-outs. Periodic vendor assessments, SOC 2 or ISO/IEC 27001 evidence reviews, and version control over data protection addenda provide defensible proof that the business exercises diligence over its ecosystem.

Cross-border transfers remain a focus for multinational organisations. While CCPA does not restrict transfers by geography, investigators routinely request evidence that data leaving California remains subject to contractual safeguards and that foreign vendors honour deletion and opt-out signals. Documenting how GPC signals traverse content delivery networks, tag managers, and consent platforms helps demonstrate that opt-out coverage is complete.

Readiness steps and evidence production

Effective programmes treat CCPA readiness as an operational discipline rather than a one-time policy exercise. Practical steps include:

  • Programme governance: Establish a steering committee spanning privacy, legal, security, engineering, marketing, product, and customer support. Assign system owners who are accountable for implementing opt-out and deletion logic within their domains.
  • Data inventory refresh: Conduct quarterly inventory updates, reconciling production systems, data warehouses, SDKs, and API integrations. Tag data elements with purposes, retention periods, and sharing status to streamline disclosure accuracy.
  • Request lifecycle automation: Route consumer requests through a tracked queue that captures identity verification, data aggregation, legal review, and fulfillment. Automate exports from CRM, marketing automation, analytics, and ticketing systems to reduce manual risk, and test edge cases such as joint household requests.
  • Opt-out signal handling: Validate that website and mobile properties detect and honour GPC signals (the Sec-GPC request header with the value 1 and, in page scripts, the navigator.globalPrivacyControl property), update cookie banners and preference centres so the stored state reflects the signal, and ensure downstream partners receive suppression lists or alternate tags that avoid cross-context advertising identifiers.
  • Training and tabletop exercises: Deliver role-based training that explains statutory rights, verification standards, and communication etiquette. Run tabletop drills simulating an Attorney General inquiry so teams can practice rapid document collection and consistent messaging.
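The opt-out signal handling step above is the one readiness item that comes down to code paths rather than paperwork. The following is an added example, not code from this briefing or from any vendor, showing the shape of a Node request handler that detects GPC, resolves it against a stored preference-centre choice, gates tags by contractual status, and emits the per-request evidence record an investigator would ask for. The tag registry, the role and crossContextAds fields, and the three sample requests are constructed for the example; the only external facts it relies on are that GPC is carried in the Sec-GPC header (value exactly 1) and exposed to page scripts as navigator.globalPrivacyControl.

```javascript
// Added example, not code from the briefing or from any named vendor.
// Server-side handling of the Global Privacy Control (GPC) opt-out signal
// and gating of third-party tags, in the style of a Node request handler.
// The tag registry and the sample requests are constructed for this example;
// `role` and `crossContextAds` are this example's own fields, not regulatory terms.

// GPC travels as the `Sec-GPC` request header. The GPC specification treats
// only the exact value "1" as an opt-out signal; "0", an empty value, or an
// absent header means "no signal", not "opted in". Node lowercases header
// names, but accept either casing for callers that pass raw maps.
function hasGpcOptOut(headers) {
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof value === 'string' && value.trim() === '1';
}

// Browser-side equivalent: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl (a boolean). Takes the navigator object as a
// parameter so it can be exercised outside a browser.
function hasClientGpcOptOut(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Resolve the consumer's opt-out state from the request and any stored
// preference-centre choice ('opt_out', 'opt_in' or null). The CCPA
// regulations direct a business to honour a global opt-out signal even when
// it conflicts with an earlier site-specific setting (it may notify the
// consumer of the conflict), so a stored opt-in does not override GPC here.
function resolveOptOutState(headers, storedPreference) {
  if (hasGpcOptOut(headers)) {
    return { optedOut: true, source: 'gpc' };
  }
  if (storedPreference === 'opt_out') {
    return { optedOut: true, source: 'preference_centre' };
  }
  return { optedOut: false, source: storedPreference === 'opt_in' ? 'preference_centre' : 'none' };
}

// Constructed tag registry. `role` records the contractual status the
// briefing discusses: a vendor bound by a compliant service-provider contract
// versus an uncovered third party. `crossContextAds` marks tags that share
// data for cross-context behavioural advertising.
const TAG_REGISTRY = [
  { id: 'first-party-analytics', vendor: 'self', role: 'service_provider', crossContextAds: false },
  { id: 'session-replay', vendor: 'example-cdp', role: 'service_provider', crossContextAds: false },
  { id: 'ad-pixel', vendor: 'example-adtech', role: 'third_party', crossContextAds: true },
  { id: 'retargeting', vendor: 'example-dsp', role: 'third_party', crossContextAds: true },
];

// Decide which tags a page may load. When the consumer has opted out, only
// tags run by contractually bound service providers that do not share data
// for cross-context advertising survive; every uncovered third-party tag is
// suppressed outright rather than loaded with a flag it may ignore.
function allowedTags(registry, state) {
  if (!state.optedOut) {
    return registry.map((tag) => tag.id);
  }
  return registry
    .filter((tag) => tag.role === 'service_provider' && !tag.crossContextAds)
    .map((tag) => tag.id);
}

// Evidence record per request: what signal was seen, what was decided, and
// what loaded. Appending this to a tamper-evident log is what lets a
// programme show a regulator that opt-outs were honoured on a given date,
// not just that a policy said they would be.
function evidenceRecord(requestId, headers, state, tags, now = new Date()) {
  return {
    requestId,
    timestamp: now.toISOString(),
    gpcHeader: headers['sec-gpc'] ?? headers['Sec-GPC'] ?? null,
    optedOut: state.optedOut,
    source: state.source,
    tagsLoaded: tags,
  };
}

// Handle one request end to end. Returns the evidence record so the caller
// can both log it and use `tagsLoaded` to render the page.
function handleRequest(requestId, headers, storedPreference, registry = TAG_REGISTRY) {
  const state = resolveOptOutState(headers, storedPreference);
  const tags = allowedTags(registry, state);
  return evidenceRecord(requestId, headers, state, tags);
}

// Constructed sample requests: GPC set despite a stored opt-in, GPC "0" with
// a stored opt-out, and no signal at all with a stored opt-in.
const SAMPLE_REQUESTS = [
  { requestId: 'req-001', headers: { 'sec-gpc': '1' }, storedPreference: 'opt_in' },
  { requestId: 'req-002', headers: { 'sec-gpc': '0' }, storedPreference: 'opt_out' },
  { requestId: 'req-003', headers: {}, storedPreference: 'opt_in' },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(handleRequest(req.requestId, req.headers, req.storedPreference)));
}
```

Two design points carry the weight. First, an absent or non-"1" header is recorded as "no signal", never as consent, so a browser that does not implement GPC does not silently become an opt-in. Second, tag gating keys off the contractual classification in the registry, which is exactly what the DOJ probes: a tag whose vendor lacks a compliant service-provider contract is suppressed on opt-out, not merely passed a flag.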

Every action should generate evidence: ticket logs, screenshots of opt-out flows, data flow diagrams, contract redlines, and training completion reports. Store artefacts in a controlled repository with retention schedules and version history. During investigations, the ability to deliver a coherent evidence package within days can reduce disruption and demonstrate good faith.

Metrics, monitoring, and continuous improvement

Privacy leaders should operate dashboards that track request volumes, response time distributions, opt-out success rates, and vendor attestation cycles. Spikes in identity verification failures or deletion exceptions may signal systemic issues. Auditing scripts that crawl web properties for missing notices or broken links help catch regressions before regulators or consumers do. Pair quantitative metrics with qualitative feedback from customer support to identify confusing language or friction in verification steps.

Governance processes should include periodic policy reviews aligned to regulatory updates. When the DOJ issues FAQs or publishes enforcement examples, update internal guidance and consumer-facing disclosures accordingly. Coordinate with engineering release cycles so that new product features undergo privacy impact assessments and test cases before launch.

Forward-looking alignment with CPRA and other state laws

Although this briefing focuses on July 2020 enforcement, organisations should calibrate controls to meet CPRA and emerging state statutes. CPRA adds rights to correct inaccurate information, establishes the California Privacy Protection Agency, and introduces sensitive personal information limitations. Building modular data governance—such as purpose-based access controls, retention timers, and sensitive data registries—reduces rework as new rules take effect. Aligning with Virginia, Colorado, Connecticut, and Utah privacy laws through common data minimisation and consent management patterns can also streamline compliance across jurisdictions.

Finally, engage external counsel and industry groups to stay informed. Monitor DOJ press releases, formal rulemakings, and published settlement documents to understand enforcement theories and remediation expectations. Combining authoritative guidance with disciplined operational execution is the most reliable way to withstand regulator scrutiny and maintain consumer trust.
